Releases: iamsopotatoe-coder/TinyLoad
TinyLoad v7.2
Tinyload v7.2
- added --noconsole flag for when you do not want a console
- Fixed a XXTEA bug which would make it break on previously packed executables with RustPacker.
- Added direct syscalls for stub apis
Graph:
TinyLoad v7.1
Tinyload v7.1
- XXTEA overlay encryption: payload encryption upgraded from XOR to XXTEA (Corrected Block TEA).
- dual thread key recombination: 128 bit XXTEA key split across two threads. Full key only exists transiently inside a WaitForSingleObject fence, then destroyed.
- Tail field randomisation: overlay Tail serialized in Fisher Yates randomized order per build.
- Anti debug improvements: PEB BeingDebugged and NtGlobalFlag checks before Win32 APIs. Catches debuggers that patch IsDebuggerPresent.
- PE compatibility: 32-bit/unknown machine rejection, section bounds overflow guards, import validation against SizeOfImage.
Graph:
Tinyload v7.0
Tinyload v7.0
- Encrypted product strings — help text, CLI flags, and version strings XOR encrypted at rest.
- Hidden overlay signature — "TINYLD60" marker XOR'ed with per-file stubKey derived from .text section.
- Encrypted overlay metadata — origSz, packSz, flags, dispKey, vmCodeSz, and canary fields individually XOR'ed with stubKey-derived keys.
- Encrypted VM bytecode — VM program blob XOR-encrypted with stubKey stream, appearing as uniform noise in the overlay.
- Encrypted tail offset — 4-byte EOF pointer XOR'ed with stubKey. Overlay start position not readable from a hex dump.
- Zero-filler interleave — overlay interleaved with zero bytes at 3:1 ratio. Entropy drops from ~7.96 to ~6.73 bits/byte, blending with normal PE section entropy.
- Canary corridor — 8 chained integrity checks embedded in VM bytecode after decryption. Each canary's expected value depends on the previous actual value. Failures escalate a cumulative corruption mask (1→8 bits) XOR'ed into the plaintext.
- VEH page-fault decryption — all PE section pages encrypted at runtime and set to PAGE_NOACCESS. Vectored exception handler decrypts on first access. Watchdog re-encrypts cold pages after 200ms idle. LRU cache (256 slots) with thread safe eviction.
- Overlay chunk splitting — payload split into 4 chunks scattered across the file with random junk gaps (128–640 bytes).
- Bug fixes — LDB_I/STB_I bounds checks, SizeOfImage==0 rejection, NumberOfSections cap, readVarInt signed-shift UB fix, relocation type validation, import truncation detection, vmCodeSz/origSz key de-duplication, keystream seed hardened with QueryPerformanceCounter.
Graph:
Tinyload v6.0
TinyLoad v6.0 "More Obfuscation"
What's new:
-
Control Flow Flattening on vmRun: switch statement replaced by
computed-goto dispatch table built from encrypted label offsets. -
Staged entry point: tryRun split into 6 stages dispatched through
a function pointer table. PE loader (runInMem) split into 5 stages
using the same pattern. -
Split opcode decoder: 28 opcodes randomly scattered across four
8-entry subtables, each XOR-encrypted with an independent key
derived from different slices of the payload and VM bytecode.
Cracking one subtable reveals at most 8 opcodes. -
String decryption noise: all encrypted strings pre-decrypted once
at startup, then noiseDecrypt() fires at scattered points (every
stage, every 64 VM iterations). -
Encrypted dispatch table: VM dispatch offsets never plaintext in
the packed binary. Packer reads live label offsets from its own
process, encrypts with random key, stores in tail. Packed stub
decrypts and recomputes dispatch at runtime. -
Full resource cloning: EnumResourceTypesA now clones all resource
types (RT_RCDATA, bitmaps, dialogs, string tables, fonts,
accelerators, etc.), not just icons and manifests. -
LZ compressor fix: hash-chain self-loop that was silently degrading
match quality is fixed. Compression improved ~2% across tested files. -
PE loader hardened: reloc SizeOfBlock underflow guard, relocation
target bounds validation, negative e_lfanew rejection, LoadLibraryA failure handling, import thunk
iteration cap, lzUnpack error propagation on corrupted/truncated data.Graph:
This update was alot of fun for me :D
Tinyload v5.0 Bug Fixes
- LZ compressor WINDOW=0x10000 overflowed 16-bit distance field to 0, causing decompression corruption and access violation crash on packed executables. Reduced to 0xFFFF.
- --i and --o now auto-append .exe if missing (e.g. --i calc works)
- 32 bit PE detection (as tinyload only supports 64 bit)
- Better error messages for invalid PE files and stub load failures
- PE loader bounds checks on headers, section copies, reloc/import directory walks to prevent crashes on malformed input.
Graph:
Tinyload v5.0
Tinyload v5.0
- opmap is now derived from file content via FNV hash (No longer plaintext)
- API and DLL name strings are XOR-encrypted, not visible in static analysis
- IAT wiped post load — OriginalFirstThunk, import names, and import directory zeroed after mapping, making dumps harder to reconstruct
- More opaque predicates
- junk NOP and self mov instructions inserted between real VM ops
- stub wrapper functions for key Win32 APIs routed through encrypted string resolution
- dead code functions added to inflate and confuse disassembly
Graph:
v4.0 Bug Fixes
Tinyload v4.0 is out!
- VM Opaque predicates
- Simple anti debugging (IsDebuggerPresent and CheckRemoteDebuggerPresent)
- PE Section Obfuscation
- Bug fixes from original v4.0 release
Graph:
Thanks for all of your support <3
v5.0 coming soon.
v4.0
Tinyload v4.0 is out!
- VM Opaque predicates
- Simple anti debugging (IsDebuggerPresent and CheckRemoteDebuggerPresent)
- PE Section Obfuscation
Graph:
Thanks for all of your support <3
v5.0 coming soon.
v3.1
- Added 8 new VM instructions (ROL, ROR, NOT, MULI, ROLI, RORI, CALL, RET) to expand the custom ISA and increase reverse engineering complexity.
- Implemented a 3-key encryption system with k1, k2, and k3 (golden ratio seed) using rotation-based key evolution for stronger protection.
- Enhanced keystream generation to use 192-bit state with rotations, multiplication, and NOT operations instead of simple XOR.
- Expanded opmap structure from 20 to 32 bytes to accommodate the new instruction set
I didnt want to touch the vm logic until after v4 but i found some stuff that needs to be fixed so thats why im doing v3.1
v4 will add better compression.
v3
v3 release!
- Custom vm encryption instead of xor
- Different opcodes every run
- Better in memory protection
v4 will add better compression